This procedure was done on a brand-new install of CentOS7 on a Lenovo ThinkPad P70 laptop. This install of CentOS7 desktop was a straight-out-of-the box install with no tweaks at all wherein I selected the GNOME desktop option (not the Plasma!) and I selected a bunch of development tools and libraries as well, but everything was selected from the default installer menu, there were no hacks or tweaks. It's a straightforward procedure not hard to do at all. However, I could not find anywhere on the web where all the steps were gathered in one place. This should theoretically work for RedHat7 desktop and OracleLinux7 Desktop, but it is only tested on CentOS7 GNOME desktop. The setup of Cisco AnyConnect VPN is detailed below. Install EPEL RPMBasically, this webpage here was the starting point which got this successful Cisco AnyConnect VPN configuration rolling. The first step therefore is to install EPEL which more or less is a project of Fedora which provides a high-quality library of packages which are interoperable with CentOS7 and other similar Linuxes. I downloaded the EPEL rpm from here, but for convenience I have attached it to this post as well just in case that link is down for any reason. It's recommended to use the link instead of the copy attached to this post so that you get the latest EPEL from Fedora Genuine. Now install EPEL as shown below. Note that as dependencies EPEL will also install the packages VPNC and VPNC-SCRIPT. That's a good thing those are also needed for Cisco Anyconnect so no worries. [root@localhost Downloads]# rpm -Uvh epel-release-7-8.noarch.rpm warning: epel-release-7-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEYPreparing... ################################# [100%]Updating / installing... 1:epel-release-7-8 ################################# [100%][root@localhost Downloads]# yum install vpncLoaded plugins: fastestmirror, langpacksepel/x86_64/metalink | 14 kB 00:00:00 epel | 4.3 kB 00:00:00 (1/3): epel/x86_64/group_gz | 170 kB 00:00:00 (2/3): epel/x86_64/updateinfo | 594 kB 00:00:00 (3/3): epel/x86_64/primary_db | 4.3 MB 00:00:00 Loading mirror speeds from cached hostfile * base: mirror.beyondhosting.net * epel: muug.ca * extras: mirrors.liquidweb.com * updates: mirror.stjschools.orgResolving Dependencies--> Running transaction check---> Package vpnc.x86_64 0:0.5.3-22.svn457.el7 will be installed--> Processing Dependency: vpnc-script for package: vpnc-0.5.3-22.svn457.el7.x86_64--> Running transaction check---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed--> Finished Dependency ResolutionDependencies Resolved=================================================================================================================================================================================================================== Package Arch Version Repository Size===================================================================================================================================================================================================================Installing: vpnc x86_64 0.5.3-22.svn457.el7 epel 85 kInstalling for dependencies: vpnc-script noarch 0.5.3-22.svn457.el7 epel 14 kTransaction Summary===================================================================================================================================================================================================================Install 1 Package (+1 Dependent package)Total download size: 99 kInstalled size: 210 kIs this ok [y/d/N]: yDownloading packages:warning: /var/cache/yum/x86_64/7/epel/packages/vpnc-0.5.3-22.svn457.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEYPublic key for vpnc-0.5.3-22.svn457.el7.x86_64.rpm is not installed(1/2): vpnc-0.5.3-22.svn457.el7.x86_64.rpm | 85 kB 00:00:00 (2/2): vpnc-script-0.5.3-22.svn457.el7.noarch.rpm | 14 kB 00:00:00 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Total 261 kB/s | 99 kB 00:00:00 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <epel@fedoraproject.org>" Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 Package : epel-release-7-8.noarch (installed) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7Is this ok [y/N]: yRunning transaction checkRunning transaction testTransaction test succeededRunning transactionWarning: RPMDB altered outside of yum. Installing : vpnc-script-0.5.3-22.svn457.el7.noarch 1/2 warning: /etc/vpnc/vpnc-script created as /etc/vpnc/vpnc-script.rpmnew Installing : vpnc-0.5.3-22.svn457.el7.x86_64 2/2 Verifying : vpnc-script-0.5.3-22.svn457.el7.noarch 1/2 Verifying : vpnc-0.5.3-22.svn457.el7.x86_64 2/2 Installed: vpnc.x86_64 0:0.5.3-22.svn457.el7 Dependency Installed: vpnc-script.noarch 0:0.5.3-22.svn457.el7 Complete![root@localhost Downloads]# Install Required Libraries and OpenConnectI got the CentOS7 OpenConnect RPM from Springdale but there should be several places where it can be obtained. This one I will also attach to this blog post so that the exact RPM that I used is available. I did this configuration between midnight and 3AM this morning, so now in the afternoon I'm retracing my footsteps while it's still fresh to get this guide created. However, I believe you can also get this same RPM from elders.princeton.edu. So that's three places to get it - Springdale, Princeton, and here at this blog attached at the bottom of this page. But you can't install it yet because unless you have previously done so, there are some libraries that will be needed to satisfy dependencies for the OpenConnect RPM. Just so that you see what the issue is, below is an example of what you get when trying to install the OpenConnect RPM without the required libraries. In a subsequent step below, those libraries will be easily obtained and then OpenConnect installed perfectly.[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEYerror: Failed dependencies: liblz4.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64 libstoken.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64 libstoken.so.1(STOKEN_1.0)(64bit) is needed by openconnect-7.06-1.sdl7.x86_64[root@localhost Downloads]# Install lz4 LibraryIt's easy as shown below to get the lz4 library. Just run the following command simply using yum to install the library as shown below.[root@localhost Downloads]# yum install lz4Loaded plugins: fastestmirror, langpacksLoading mirror speeds from cached hostfile * base: mirror.beyondhosting.net * epel: mirror.steadfast.net * extras: mirrors.liquidweb.com * updates: mirror.stjschools.orgResolving Dependencies--> Running transaction check---> Package lz4.x86_64 0:r131-1.el7 will be installed--> Finished Dependency ResolutionDependencies Resolved=================================================================================================================================================================================================================== Package Arch Version Repository Size===================================================================================================================================================================================================================Installing: lz4 x86_64 r131-1.el7 epel 70 kTransaction Summary===================================================================================================================================================================================================================Install 1 PackageTotal download size: 70 kInstalled size: 220 kIs this ok [y/d/N]: yDownloading packages:lz4-r131-1.el7.x86_64.rpm | 70 kB 00:00:00 Running transaction checkRunning transaction testTransaction test succeededRunning transaction Installing : lz4-r131-1.el7.x86_64 1/1 Verifying : lz4-r131-1.el7.x86_64 1/1 Installed: lz4.x86_64 0:r131-1.el7 Complete!The libstoken library is also needed so install it simply using yum again as shown below. [root@localhost Downloads]# yum install stoken-libsLoaded plugins: fastestmirror, langpacksLoading mirror speeds from cached hostfile * base: mirror.beyondhosting.net * epel: ca.mirror.babylon.network * extras: mirrors.liquidweb.com * updates: mirror.stjschools.orgResolving Dependencies--> Running transaction check---> Package stoken-libs.x86_64 0:0.6-1.el7 will be installed--> Processing Dependency: libtomcrypt.so.0()(64bit) for package: stoken-libs-0.6-1.el7.x86_64--> Running transaction check---> Package libtomcrypt.x86_64 0:1.17-23.el7 will be installed--> Processing Dependency: libtommath >= 0.42.0 for package: libtomcrypt-1.17-23.el7.x86_64--> Processing Dependency: libtommath.so.0()(64bit) for package: libtomcrypt-1.17-23.el7.x86_64--> Running transaction check---> Package libtommath.x86_64 0:0.42.0-4.el7 will be installed--> Finished Dependency ResolutionDependencies Resolved=================================================================================================================================================================================================================== Package Arch Version Repository Size===================================================================================================================================================================================================================Installing: stoken-libs x86_64 0.6-1.el7 epel 36 kInstalling for dependencies: libtomcrypt x86_64 1.17-23.el7 epel 224 k libtommath x86_64 0.42.0-4.el7 epel 35 kTransaction Summary===================================================================================================================================================================================================================Install 1 Package (+2 Dependent packages)Total download size: 296 kInstalled size: 707 kIs this ok [y/d/N]: yDownloading packages:(1/3): libtomcrypt-1.17-23.el7.x86_64.rpm | 224 kB 00:00:00 (2/3): libtommath-0.42.0-4.el7.x86_64.rpm | 35 kB 00:00:00 (3/3): stoken-libs-0.6-1.el7.x86_64.rpm | 36 kB 00:00:00 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Total 368 kB/s | 296 kB 00:00:00 Running transaction checkRunning transaction testTransaction test succeededRunning transaction Installing : libtommath-0.42.0-4.el7.x86_64 1/3 Installing : libtomcrypt-1.17-23.el7.x86_64 2/3 Installing : stoken-libs-0.6-1.el7.x86_64 3/3 Verifying : libtommath-0.42.0-4.el7.x86_64 1/3 Verifying : libtomcrypt-1.17-23.el7.x86_64 2/3 Verifying : stoken-libs-0.6-1.el7.x86_64 3/3 Installed: stoken-libs.x86_64 0:0.6-1.el7 Dependency Installed: libtomcrypt.x86_64 0:1.17-23.el7 libtommath.x86_64 0:0.42.0-4.el7 Complete!Install vpnc-scriptThis section was added a few days later. If you get a dependency error about "vpnc-script" then you will have to install that too. Seems I may have overlooked that vpnc-script is a dependency or may have installed it earlier when I first worked this out (at 3AM or so) and discovered this while installing openconnect on another server. Use yum to install vpnc-script as shown below if the install of openconnect complains about vpnc-script dependency. I've included the output that shows openconnect install failing due to the missing vpnc-script dependency for completeness. [root@centos-72d ~]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEYerror: Failed dependencies: vpnc-script is needed by openconnect-7.06-1.sdl7.x86_64[root@centos-72d ~]# yum install vpnc-scriptLoaded plugins: fastestmirror, langpacksLoading mirror speeds from cached hostfile * base: mirror.eboundhost.com * epel: ftp.osuosl.org * extras: mirror.umd.edu * updates: mirror.tzulo.comResolving Dependencies--> Running transaction check---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed--> Finished Dependency ResolutionDependencies Resolved============================================================================================================================================================================= Package Arch Version Repository Size=============================================================================================================================================================================Installing: vpnc-script noarch 0.5.3-22.svn457.el7 epel 14 kTransaction Summary=============================================================================================================================================================================Install 1 PackageTotal download size: 14 kInstalled size: 19 kIs this ok [y/d/N]: yDownloading packages:vpnc-script-0.5.3-22.svn457.el7.noarch.rpm | 14 kB 00:00:00 Running transaction checkRunning transaction testTransaction test succeededRunning transaction Installing : vpnc-script-0.5.3-22.svn457.el7.noarch 1/1 Verifying : vpnc-script-0.5.3-22.svn457.el7.noarch 1/1 Installed: vpnc-script.noarch 0:0.5.3-22.svn457.el7 Complete![root@centos-72d ~]#Install OpenConnect Now the OpenConnect RPM can be installed successfully as shown below.[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEYPreparing... ################################# [100%]Updating / installing... 1:openconnect-7.06-1.sdl7 ################################# [100%][root@localhost Downloads]# rpm -qa | egrep 'openconnect|vpnc'openconnect-7.06-1.sdl7.x86_64vpnc-script-0.5.3-22.svn457.el7.noarchvpnc-0.5.3-22.svn457.el7.x86_64[root@localhost Downloads]#Test the Cisco AnyConnect VPNThis AnyConnect client has no GUI so it is just run from a terminal as root as shown below. Name of the vpn server used for this example and other private information has been redacted in the example connection shown below. When you get the "Established blah blah blah connection..." it means that the VPN is connected and ssh to servers and other resources such as websites on the VPN is now available. Be sure to leave that terminal window open for the duration of the VPN session. Closing that window terminates the VPN session. [oracle@localhost Downloads]$ su - rootPassword: Last login: Sat Aug 13 19:57:21 EDT 2016 on pts/0[root@localhost ~]# openconnect https://vpn.xxxxxxxxxxxx.comPOST https://vpn.xxxxxxxxxxxx.com/Attempting to connect to server xx.xx.xxx.x:443SSL negotiation with vpn.xxxxxxxxxxxx.comServer certificate verify failed: signer not found <-- Means the VPN certificate for this VPN unsigned np...just answer yes below and continue... Certificate from VPN server "vpn.xxxxxxxxxxxx.com" failed verification.Reason: signer not foundEnter 'yes' to accept, 'no' to abort; anything else to view: yesConnected to HTTPS on vpn.xxxxxxxxxxxx.comXML POST enabledPlease enter your username and password.GROUP: [datacenter|dmz|poc-mgmt|poc1|poc2|poc3|poc5|selfservice]:datacenterPOST https://vpn.xxxxxxxxxxxx.com/XML POST enabledPlease enter your username and password.Username:xxxxxxxPassword:POST https://vpn.xxxxxxxxxxxx.com/Got CONNECT response: HTTP/1.1 200 OKCSTP connected. DPD 30, Keepalive 20Connected tun0 as xx.xx.xxx.xx, using SSLEstablished DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).Manage File: /etc/resolv.confThe /etc/resolv.conf file may get updated with DNS servers for the VPN as shown below. This overwrite blanks out my local nameserver for my laptop network so I need to add back in my local nameserver in the correct position (first) as shown below. Note IP addresses of actual nameservers are redacted. The /etc/resolv.conf says in its header that VPNC generated it so there may be some way to configure VPNC to add-in that extra local nameserver somehow and at some point I need to return and solve that issue so that it's not necessary to add the nameserver manually every time the VPN is connected. The added nameserver must be added in the first position. [root@stlns01 data]# cat /etc/resolv.conf#@VPNC_GENERATED@ -- this file is generated by vpnc# and will be overwritten by vpnc# as long as the above mark is intact# Generated by NetworkManagersearch robinsystems.com. robinsystems.comnameserver 10.207.39.1 <-- This nameserver has been added back in manually with vi after VPN startednameserver 10.7.10.21nameserver 10.7.10.12[root@stlns01 data]#Comments, Questions, ObservationsPlease send me an email at gilstanden@hotmail.com if you find any errors or omissions in this procedure or to share your observations with it such as improvements or simplifications. |
CentOS7 > CentOS7 Desktop >
